QAA Privacy Notice 
Who we are 


<J> QAA 


The Quality Assurance Agency for Higher Education ('QAA', 'we' or 'us' or 'our') gathers and 
processes your personal information in accordance with this privacy notice and in 
compliance with the relevant data protection regulation and laws. This notice provides you 
with information regarding your rights and our obligations, and explains how, why and when 
we process your personal data. 

QAA's registered office is at Southgate House, Southgate Street, Gloucester, GL1 1UB and 
we are a company registered in England and Wales under company number 03344784. 

We are also a charity registered in England and Wales with Charity no. 1062746 and in 
Scotland Charity no. SC037786. We and act as data controller and/or data processor when 
processing your data. Our Company Secretary is responsible for overseeing Data Protection 
compliance at QAA and can be contacted at Governance@qaa.ac.uk 

Information that we collect 

QAA processes personal information to meet our legal, regulatory, statutory and contractual 
obligations and to provide you with information, either about our products and services or 
about matters of public interest. We will never collect any unnecessary personal data from 
you and will not process your information in any way other than as specified in this notice 
without telling you first. 

QAA collects personal information from the following: 

Visitors to our websites 

• visitors to our websites, which include: 

qaa.ac.uk 

heer.qaa.ac.uk 

accesstohe.ac.uk 

enhancementthemes.ac.uk 

TEF and the Reviewer Extranet 

Enquirers, visitors and survey respondents 

• people who email QAA or use our contact us forms 

• people who call QAA 

• people who contact QAA via social media 

• people who respond to a QAA survey or consultation 

• visitors to our offices 

People exercising a statutory right 

• people who contact QAA in relation to a data protection subject access request 

• people who contact QAA about the processing of their personal data 

• people complaining about QAA 
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Our Customers 


• people who use our services or attend a QAA event 

• subscriber community members 

• subscribers to QAA News, Enhancement Newsletter or other marketing campaigns 

• people who have given us their permission to contact them with information and 
updates 

Our Colleagues 

• our staff 

• our board and committee members 

• contractors 

• volunteers 

• people who apply to work with us 

• members of QAA working groups 

We also collect personal data to enable us to carry out our statutory duties or regulatory or 
other responsibilities . This can include personal data about: 

• people submitting Concerns about providers of higher education 

• people taking CPD awards offered by QAA 

• the staff, governors, associates, students and external examiners at providers of 
higher education that we review 

• Learners registered for an Access to Higher Education Diploma 


How we use your personal data 

QAA takes your privacy very seriously and will never disclose, share or sell your data without 
your knowledge; unless we are required to do so by law. We only retain your data for as long 
as is necessary and for the purpose(s) specified in this notice. Where you have consented to 
us providing you with promotional offers and marketing, you are free to withdraw this 
consent at any time. The purposes and reasons for processing your personal data are 
detailed below: 


Enquirers, visitors, survey respondents and interested parties 

Purpose of the processing 

To respond to enquiries from the public, provide 
services, inform our products and services and ensure 
the safety of our visitors. 

Legal basis of the processing 

GDPR Article 6(1 )(f) legitimate interest 

Processing is necessary for the purposes of providing 
information to the public; responding to enquiries from 
individuals; recording these responses; providing 
consistent and accurate information and advice; 
ensuring the personal safety of individuals attending our 
premises. 

Categories of personal data collected or 
processed 

Name 

Job title 

Personal email address 

Personal address (correspondents) 

Employer 

Telephone number 

Business email 

Car registration (visitors) 

Any recipient or categories of recipients of the 
personal data 

We do not share the personal details of enquirers. 
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Survey respondents' personal details will be processed 
by the provider of the survey software used to collect 
their responses. We ensure that the agreements we 
have in place with such processors contain adequate 
provisions for the protection of your personal 
information, and/or that your personal data is only 
processed in accordance with our written instructions, 
and you may ask us to see these at any time. 

QAA uses Mailchimp to conduct mailout 
communications and will share recipients' email 
addresses with Mailchimp. 

We will share visitors' details with the security/reception 
providers at our offices. 

If you have given us your permission, we will share your 
contact details with our trading subsidiary company, 

QAA Enterprises Ltd. 

Details of transfers to third country and 
safeguards 

We conduct mailout communications using Mailchimp, 
a service provided by The Rocket Science Group LLC, a 
company based in the United States of America. 

When you sign up to receive QAA News or our 
Enhancement Themes Newsletter your contact 
information may be transferred to Mailchimp in the USA. 
Read Mailchimo's privacy terms. 

The source of the personal data 

Provided by data subject or their authorised 
representative 

Retention period 

Personal data of enquirers - anonymised at closure of 
enquiry - enquiry details retained for 1 year. 

All other information - 3 years 

Whether the provision of personal data is part of a 
statutory or contractual requirement or obligation 
and possible consequences of failing to provide 
the personal data 

The provision of personal information may be part of a 
contractual requirement, if you are visiting our offices on 
behalf of a supplier. Provision of personal information 
may also be a statutory requirement, as it will enable us 
to discharge our health and safety duties to people 
attending our offices. 

In such cases, if you do not provide us with your 
information, you may be refused entry to our premises. 

The existence of automated decision making, 
including profiling and information about how 
decisions are made, the significance and the 
consequences. 

None 


People exercising a statutory right 


Purpose of the processing 

To give effect to the individual's statutory right, 
for example: 

- right to access information by using our information 
request procedure 

- right to access information by making a subject 
access request 

- right to be forgotten 

- right to rectification 

- right to restrict processing 

Legal basis of the processing 

GDPR Article 6(1 )(c) Compliance with a legal obligation 
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Categories of personal data collected or 
processed 

Name 

Personal address 

Personal email address 

Telephone number 

Business email address 

Form of Identification (where required) 

Any recipient or categories of recipients of the 
personal data 

We will only share your data where we are required to 
do so by law, or by the Information Commissioner's 

Office. 

Details of transfers to third country and 
safeguards 

None 

The source of the personal data 

Provided by the individual. 

Retention period 

Up to 3 years from closure of request. 

Whether the provision of personal data is part of a 
statutory or contractual requirement or obligation 
and possible consequences of failing to provide 
the personal data 

The provision of data is part of a statutory requirement. 

If you do not provide us with your data, we may not be 
able to give you the information you request, unless it is 
already available in the public domain. 

The existence of automated decision making, 
including profiling and information about how 
decisions are made, the significance and the 
consequences. 

None. 


Our customers 


Purpose of the processing 

To enable QAA to deliver services and provide 
information effectively. 

Legal basis of the processing 

GDPR Article 6(1 )(b) performance of a contract 

Categories of personal data collected or 
processed 

Name 

Personal email 

Business email 

Telephone number 

Any recipient or categories of recipients of the 
personal data 

If you have given us your permission, we will share 
your contact details with our trading subsidiary 
company, QAA Enterprises Ltd. 

QAA uses Mailchimp to conduct mailout 
communications and will share recipients' email 
addresses with Mailchimp. 

Details of transfers to third country and 
safeguards 

We conduct mailout communications using 

Mailchimp, a service provided by The Rocket Science 
Group LLC, a company based in the United States of 
America. When you sign up to receive QAA News or 
our Enhancement Newsletter, your contact information 
may be transferred to Mailchimp in the USA. 

Read Mailchimo's privacy terms. 

The source of the personal data 

Provided by the individual or by his/her authorised 
representative 

Retention period 

6 years from completion of contract 

Whether the provision of personal data is part of a 
statutory or contractual requirement or obligation 
and possible consequences of failing to provide 
the personal data 

The provision of personal information may be part of a 
contractual requirement, if you are visiting our offices 
on behalf of a supplier. 

Not providing us with your information may lead to you 
being refused entry to our premises. 
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The existence of automated decision making, 
including profiling and information about how 
decisions are made, the significance and the 
consequences. 

None 


Our colleagues 


Purpose of the processing 

To fulfil our contracts of employment. 

To enable resource-sharing with QAA Enterprises, and 
between companies in the M5 group. 

Legal basis of the processing 

GDPR Article 6(1 )(b) fulfilment of a contract 

GDPR Article 9(2)(b) employment, social security 
and social protection legal obligations 

(Special Category Data only) 

Categories of personal data collected or 
processed 

Name 

Personal address 

Personal telephone number 

Job title 

Personal email address 

Date of birth 

National insurance number 

Tax code 

Bank account details 

Proof of identity 

Employment history 

Education history 

Absence history 

Curricula vitae 

Special Category Data 

Nationality 

Information and right to work in the UK 

Ethnicity 

Religious and/or spiritual belief 

Gender 

Sexual orientation 

Trade union membership 

Marital status 

Next of kin details 

Dependants 

Health and/or disability information 

Any recipient or categories of recipients of the 
personal data 

HMRC 

Superannuation Arranaements of the University of 

London (SAUL) and Universities Superannuation 
Scheme (USS) - Pension providers 

PS Financials - Finance svstem 

Concur - Expenses processina svstem 

PCS - Trade union 

COPE - Occupational Health provider 

Members of the M5 Group 

Remedvforce - ServiceDesk svstem 

Select HR - HR svstem 

In all cases, sharing is limited to the information 
necessary for the performance of a function. 
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Details of transfers to third country and 
safeguards 

None 

The source of the personal data 

Provided by individual 

Retention period 

Six years from employment or contract end date for 
employees and contractors. 

Six months from recruitment decision for unsuccessful 
applicants. 

Indefinitely for company directors. 

Whether the provision of personal data is part of a 
statutory or contractual requirement or obligation 
and possible consequences of failing to provide 
the personal data 

Processing is necessary as part of a statutory 
requirement. If you do not provide us with your 
personal data, we may be unable to fulfil our 
employment obligations to you. 

Processing is necessary as part of a contractual 
requirement. If you do not provide us with your 
personal data, we may not be able to fulfil our 
contractual obligations to you. 

The existence of automated decision making, 
including profiling and information about how 
decisions are made, the significance and the 
consequences. 

None 


Personal data collected in the course of our statutory duties or regulatory 
responsibilities 

Purpose of the processing 

To safeguard the standards and quality of UK higher 
education wherever it is delivered around the world 

Legal basis of the processing 

GDPR Article 6(1 )(e) Public interest or exercise of 
official authority 

GDPR Article 6(1)(f) legitimate interest 

Processing is necessary for the purposes of QAA's 
legitimate interest in standards and quality assurance, 
and for the discharge of our duties under the Higher 
Education and Research Act 2017 

Processing may be necessary for the purposes of 
preventing fraud. 

Categories of personal data collected or 
processed 

Name 

Personal email address 

Telephone number 

Address 

Business email 

Job title 

Attendance information 

Academic grades 


Special Category Data 

Nationality 

Ethnicity 

Language competency 

Disability information 

Right to work/study 

Any recipient or categories of recipients of the 
personal data 

We may share information obtained in the course of 
our review or other activity with other bodies, including: 

• the Department for Education 

• the Student Loan Company 

• the Office for Students 

• the Higher Education Statistics Agency 

• the Scottish Funding Council 
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• the Higher Education Funding Council Wales 

• the Department for Education Northern Ireland 

Any personal information shared in this context will 
only be shared if necessary to give effect to the 
intention of the sharing. Information sharing is normally 
covered by an information sharing or non-disclosure 
agreement. 

We share information with Deloitte LLP for the 
purposes of obtaining Financial Sustainability, 
Management and Governance assurances about 
providers under review. Such information is shared 
through a secure upload portal, and its processing is 
governed by the terms of our contract with Deloitte 

LLP. 

Details of transfers to third country and 
safeguards 

Not applicable 

The source of the personal data 

Provided by data subject or their authorised 
representative. 

Collected in the course of QAA Review. 

Retention period 

Any personal information gathered during the course of 
these activities is securely deleted and/or destroyed 3 
months after publication of review report to which it 
relates. 

Whether the provision of personal data is part of a 
statutory or contractual requirement or obligation 
and possible consequences of failing to provide 
the personal data 

Processing is necessary for the performance of our 
statutory and regulatory duties. 

Failure to provide data compromises QAA's ability to 
complete the necessary review. 

The existence of automated decision making, 
including profiling and information about how 
decisions are made, the significance and the 
consequences. 

None 


Learners registered for an Access to Higher Education Diploma 

Purpose of the processing 

To monitor learner registration, achievement and 
awards across approved Access to Higher Education 
programmes. 

To monitor the success of Access Validating Agencies’ 
strategies to promote equality of opportunity between 
people of different ethnic or racial backgrounds, 
different religious beliefs, or different states of physical 
or mental health. 

To feed into QAA annual publications on Access to 
Higher Education participation and achievement. 

Legal basis of the processing 

GDPR Article 6(1 )(e) Public interest or exercise of 
official authority 

Categories of personal data collected or 
processed 

Date of birth 

Age 

Unique Learner Number 

Learner Reference 

Postcode 

Achievement data 

Grade information 

Qualification information 
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Destination 

Source of funding/ funding status 

Benefit status 

Employment/prior employment status 


Special Category Data 

Ethnicity 

Gender 

Language competency 

Disability information 

Learning Difficulty information 

Any recipient or categories of recipients of the 
personal data 

Not applicable 

Details of transfers to third country and 
safeguards 

Not applicable 

The source of the personal data 

Provided bv Education and Skills Fundina Aaencv, 
Department for Education 

Retention period 

Maximum 12 months from receipt, or on completion of 
purpose. 

Whether the provision of personal data is part of a 
statutory or contractual requirement or obligation 
and possible consequences of failing to provide 
the personal data 

Processing is necessary for the performance of our 
statutory and regulatory duties. 

The existence of automated decision making, 
including profiling and information about how 
decisions are made, the significance and the 
consequences. 

None 


Exercising your rights 

If QAA processes personal information about you, you have the right to access that 
information, and to request information about: 

• what personal data we hold about you 

• the purposes of the processing 

• the categories of personal data concerned 

• the recipients to whom the personal data has/will be disclosed 

• how long we intend to store your personal data for 

• if we did not collect the data directly from you, information about the source. 

In some cases, if you believe that we hold any incomplete or inaccurate data about you, you 
have the right to ask us to correct and/or complete the information and we will strive to 
do so as quickly as possible; unless there is a valid reason for not doing so, at which point 
you will be notified. 

You may also have the right to request erasure of your personal data or the right to 
restrict processing (where applicable) in accordance with data protection law; as well as to 
object to any direct marketing from us. Where applicable, you have the right to data 
portability of your information and the right to be informed about any automated 
decision-making we may use. 

If you would like to exercise any of these rights, you can do so by contacting us: 
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By email: enquiries@qaa.ac.uk 

By telephone: 01452 557000 

By post: Enquiries, QAA, Southgate House, Southgate Street, Gloucester, GL1 1UB 

If we receive a request from you to exercise any of the above rights, we may ask you to 
verify your identity before acting on the request; this is to ensure that your data is protected 
and kept secure. 

Processing for legitimate interests and with your consent 

As noted in the 'How we use your personal data’ section of this notice, we occasionally 
process your personal information under the legitimate interests' legal basis. Where this is 
the case, we have ensured that we have weighed your interests and any risk posed to you 
against our own interests; ensuring that they are proportionate and appropriate. 

Where you have consented to us using your details for a particular purpose, we will keep 
such data until you notify us otherwise and/or withdraw your consent. 

Processing Special Category Data 

Owing to the nature of our responsibilities and statutory duties, we may sometimes need to 
process sensitive personal information (known as special category data) about you. This 
may be for the purposes of assessing the efficacy of the policies and procedures of the 
Higher Education providers we review, or to enable us to investigate complaints or concerns. 
Where we collect such information, we will only request and process the minimum necessary 
for the specified purpose and identify a compliant legal basis for doing so. 

Lodging a complaint 

QAA only processes your personal information in compliance with this privacy notice and in 
accordance with the relevant data protection laws. If, however you wish to raise a complaint 
regarding the processing of your personal data or are unsatisfied with how we have handled 
your information, you have the right to lodge a complaint with the supervisory authority. In 
the first instance, complaints should be directed to: 

Company Secretary, QAA 

Southgate House, Southgate Street, Gloucester, GL1 1UB 

01452 557000 

qovernance@qaa.ac.uk 

If you remain concerned that your information has not been handled as described, you may 
raise your complaint with the Information Commissioner's Office: 

Information Commissioner's Office 

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 
0303 123 1113 

https://ico.orq.uk/concerns/handlinq 
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Use of cookies by QAA websites 


Cookies are small text files that are placed on your computer by websites that you visit. 

They are widely used in order to make websites work, remember your individual settings and 
preferences, and to measure how you use websites to ensure they meet your needs. 

We do not use cookies to identify individuals or collate personal data. We only use cookies 
to make our sites work better for you. 

Most web browsers allow some control of cookies through the browser settings, and you are 
able to manage and delete cookies from specific websites. 

To find out more about cookies, including how to see what cookies have been set by the 
websites you visit, and how to manage and delete them, visit All About Cookies . 

The table below explains the cookies we use on each website and why. 
www.qaa.ac.uk 


Cookie 

Name 

Purpose 

More information 

Google 

Analytics 

_utma 

_utmb 

_utmc 

utmz 


These cookies are used to collect 
information about how visitors use 
our site. This information is used to 
improve QAA's sites and to ensure 
they meet your needs. 

Overview of privacy 

at Gooale 

Opt out of Gooale 

Analytics 




All data is collected in an 
anonymous form and includes 
information such as the number of 
visitors to our websites and the 
pages they visit while they're on 
our sites. 


Google 

cookies 

GAPS 

khcookie 

NIDS 

PREF 

VISITOR 

YSC 

INFOIJJVE 

We use the YouTube video player 
and Google Maps functionality on 
our website. These are cookies set 
by Google to store your user 
preferences. 

Overview of privacy 

at Gooale 

Browse Aloud 

Browsealoudcountry 

country 

We subscribe to a service called 
BrowseAloud, which allows our 
website visitors to use the 
BrowseAloud toolbar for free. 

BrowseAloud 

website 

Standard 

ASP.NET 

cookie 

ASP.NET 

_Sessionld 

Created when session state is 
used. Expires when the browser 
closes. 

All About 

Cookies: What is a 
session cookie 

used for? 
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www.accesstohe.ac.uk and ava.accesstohe.ac.uk 


Cookie 

Name 

Purpose 

More information 

Cookie 

acceptance 

acceptcookies 

On first visiting our website, you will 
see a message at the top of your 
screen explaining that we use cookies. 

If you click to accept and hide the 
message, a cookie is stored so that 
you will not see the message appear 
again when you visit the website. Set 
to expire after 100 years. 


Google 

Analytics 

jjtma 

_utmb 

_utmc 

_utmz 

These cookies are used to collect 
information about how visitors use our 
site. This information is used to 
improve QAA's sites and to ensure 
they meet your needs. 

Overview of 
privacy at Gooale 



All data is collected in an anonymous 
form and includes information such as 
the number of visitors to our websites 
and the pages they visit while they're 
on our sites. 

Oot out of Gooale 

Analytics 

Google 

cookies 

GAPS 

khcookie 

NIDS 

PREF 

VISITOR INF01 LIVE 
YSC 

We use the YouTube video player and 
Google Maps functionality on our 
website. These are cookies set by 
Google to store your user preferences. 

Overview of 
orivacv at Gooale 

Session 

cookie 

f 

Stores the font size, if you have 
selected one of the options provided in 
the accessibility menu. Set to expire 
after 20 minutes. 

All About 

Cookies: What is 
a session cookie 

used for? 

Session 

cookie 

homepagejmageno 

This cookie refreshes the image that 
appears in the top right-hand corner of 
the Access to HE homepage. It is 
purely for design purposes. Set to 
expire after 40 minutes. 

All About 

Cookies: What is 
a session cookie 

used for? 

Session 

cookie 

accessibility 

Stores the contrast setting you have 
selected while using the website. Set 
to expire after 20 minutes. 

All About 

Cookies: What is 
a session cookie 

used for? 

Session 

cookie 

Loggedln 

Stores your email address if you are 
logged in to the AVA area, so that it 
displays in the main navigation 
throughout your visit. Set to expire 

All About 

Cookies: What is 
a session cookie 

used for? 
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after 30 minutes or cleared when you 
log out. 


Standard 

ASP.NET 

cookie 

ASPXAUTH 

Created and set when you log in to the 
AVA area. Expires when the browser 
closes. 

All About 

Cookies: What is 
a session cookie 

used for? 

Standard 

ASP.NET 

cookie 

ASP.NET_Sessionld 

Created when session state is used. 
Expires when the browser closes. 

All About 

Cookies: What is 
a session cookie 

used for? 

Session 

cookie 

ASPSESSIONID 

Session cookies store information 
about particular choices you have 
made during your visit to the website - 
for example your preferred language 
choice if you have selected a Welsh 
language page. 

These cookies expire when you close 
your browser. 

All About 

Cookies: What is 
a session cookie 

used for? 


heer.qaa.ac.uk 


Cookie 

Name 

Purpose 

More information 

Google 

Analytics 

_utma 

_utmb 

_utmc 

utmz 

These cookies are used to collect 
information about how visitors use our 
site. This information is used to 
improve QAA's sites and to ensure 
they meet your needs. 

Overview of 
orivacv at Gooqle 

Oot out of Gooale 

Analytics 



All data is collected in an anonymous 
form and includes information such as 
the number of visitors to our websites 
and the pages they visit while they're 
on our sites. 


Standard 

ASP.NET 

cookie 

ASPXAUTH 

Created and set when you log in to the 
AVA area. Expires when the browser 
closes. 

All About 

Cookies: What is 
a session cookie 

used for? 

Standard 

ASP.NET 

cookie 

ASP.NET_Sessionld 

Created when session state is used. 
Expires when the browser closes. 

All About 

Cookies: What is 
a session cookie 

used for? 
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Twitter 

guestid 

These cookies are set by Twitter as a 

Overview of 

cookies 

remember checked on 

result of the integration of a 

orivacv at Twitter 


twll 

Twitterfeed on our website. 



twitter sess 








reviewextranet.qaa.ac.uk 


Cookie 

Name 

Purpose 

More information 

Session 

cookie 

WSS_KeepSessionAuthenticat 

ed 

Session cookies store 
information about particular 
choices you have made during 
your visit to the website. This 
cookie keeps you authenticated 
- or logged in - throughout your 
visit to the site so that you only 
have to log in once. 

All About 

Cookies: What is 
a session cookie 

used for? 



This cookie expires when you 
close your browser. 


Standard 

ASP.NET 

cookie 

ASP.NET_Sessionld 

Created when session state is 
used. Expires when the 
browser closes. 

All About 

Cookies: What is 
a session cookie 

used for? 


© The Quality Assurance Agency for Higher Education 2018 
Registered charity numbers 1062746 and SC037786 

www.qaa.ac.uk 
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